ActiveX detection and handling in mozilla-based browsers

ABSTRACT

A system and method is disclosed that allows ActiveX functionality to be conditionally invoked by a non-ActiveX-enabled browser, such as those based on Mozilla technology, through the implementation of user-defined controls to mitigate system security vulnerability. ActiveX controls can be identified from within a Mozilla-based browser and the user can be presented with a choice of actions instead of ActiveX controls being automatically downloaded and activated by a browser extension such as IE View. By referencing one or more user-definable lists containing domains, URLs, and ActiveX controls along with their respective attributes, the method of the invention allows a user to specify the preferred behavior of a non-IE browser when attempting to render Web pages containing ActiveX controls.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates in general to the field of information handling systems and more specifically, to the display of information on an information handling system using an internet browser.

2. Description of the Related Art

As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, or communicates information or data for business, personal, or other purposes, thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is processed, stored or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservation, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information, and may include one or more computer systems, data storage systems, and networking systems.

Information handling systems continue to improve in their ability to generate and manage information. Increasingly, this information is accessed and interacted with through a browser application. Currently, one of the most popular browsers is Internet Explorer (IE), produced by Microsoft. IE was originally designed to enable enhanced interactive content delivery to a user while supporting the broadest range of web pages without major problems. However, other browsers, such as those based on Mozilla technology, are now offering technical capabilities and features not currently available with IE.

One of the features of the IE browser is its use of ActiveX, which allows for the creation of applications that can be downloaded and run within the IE browser. ActiveX encompasses a set of object-oriented programming tools and resource sharing technologies that are based on Microsoft's Object Linking and Embedding (OLE) and Component Object Model (COM). When a program is written in the ActiveX environment, a self-sufficient component is created that can run anywhere in an ActiveX network environment. This component is known as an ActiveX control, which is roughly equivalent to a Java applet in the role it plays on a page, although, unlike an applet, it is native code that runs with the privileges of the browser process rather than inside a sandbox. An advantage of such a component is that it can be reused by many applications, commonly referred to as application containers.

With the use of ActiveX, web pages can extend their functionality by providing direct access to a computer's operating system and application programs, thereby allowing them to be more dynamic and interactive. Since it is tightly integrated with the operating system, IE can facilitate this interaction, as it makes full use of the accessibility framework available within Windows. While advantageous in many regards, the embedding of these capabilities into IE can also create an environment conducive to the spread of malicious programs such as viruses, Trojan horses, and spyware infections. These hostile programs typically use ActiveX to automatically download onto a computer, activate themselves, and then propagate to other computers.

When an ActiveX control is about to be downloaded and run, it presents a digital signature, purportedly from the author of the program, and the user is prompted whether or not to accept the download. The digital signature may be valid and legitimate or it could be a forgery presented by an unscrupulous hacker. Even a valid signature only identifies the publisher that signed the control; it says nothing about whether the control itself is safe. The user has two choices: either accept the digital signature at face value and let the program proceed, or reject it completely. ActiveX security relies on the user making the right decision about which digital signatures and/or programs to accept and which ones to reject. Accepting a malicious program that has been disguised or misrepresented can result in unexpected, even catastrophic, results. Furthermore, hackers continue to discover and exploit additional ActiveX vulnerabilities that can allow them to bypass the presentation of digital signatures and then download and install malicious software onto a computer without the user's knowledge.

A possible response in addressing these security issues is to use browsers that do not use ActiveX. One such browser is Firefox, which is based on Mozilla technology and can be configured to automatically download most files, but not “.exe” files, which are executable programs. However, this approach does not fully address the issue of how to safely access the dynamic and interactive capabilities of Web sites that have extended their functionality by implementing ActiveX controls.

One current approach is the IE View extension for Firefox which allows a user to enter a list of domains or URLs which should be viewed in IE. When Firefox intercepts one of these URLs, the extension automatically launches IE with the intercepted URL. However, simply launching IE and running downloaded ActiveX controls can still introduce undesirable security issues. What is needed are additional controls to limit security vulnerabilities when ActiveX controls are implemented on a user's computer.

SUMMARY OF THE INVENTION

In accordance with the present invention, a system and method is disclosed that allows ActiveX functionality to be conditionally invoked by a non-ActiveX-enabled browser through the implementation of user-defined controls to mitigate system security vulnerability. It will be apparent to those of skill in the art that one approach to mitigating ActiveX security issues is to use browsers, such as Firefox, that do not implement ActiveX controls. For example, ActiveX controls can be identified from within Firefox and the user can be presented with a choice of actions instead of ActiveX controls being automatically downloaded and activated by IE View.

In an embodiment of the invention, an extension to Firefox can be implemented that can identify the presence of ActiveX controls within a web site. Each ActiveX control is then identified by its Universally Unique Identifier (UUID), in practice the CLSID carried in the classid attribute of the control's object tag, which is captured along with the URL of the page that contains it. In this same embodiment, once an ActiveX control has been identified by its UUID and URL location, it can be compared against one or more lists. For example, a list could contain a user's personal preference list of ActiveX controls, URLs and domains to be opened in IE. Another list could contain a user's personal preference list of ActiveX controls, URLs and domains to be filtered. A third list could be distributed with the Firefox extension, containing a pre-defined (and updatable) “white” list of known good ActiveX controls, URLs and domains coupled with a recommendation that they be opened in IE. Conversely, a fourth list could be distributed with the Firefox extension, containing a pre-defined (and updatable) “black” list of known bad ActiveX controls, URLs and/or domains coupled with a recommendation that they be filtered. In an embodiment of the invention, if a URL or domain containing ActiveX controls is not found on any of the lists described in more detail hereinabove, the user can be presented with a dialog offering different options, such as “filter the ActiveX controls and attempt to render the page without them” or “pass the URL to IE to view the page and install ActiveX controls.”

In an embodiment of the invention, the list of ActiveX controls, URLs and/or domains recommended to be opened with IE can be automatically populated. In an embodiment of the invention, the list of ActiveX controls, URLs and/or domains recommended to be opened with IE can be manually populated. In an embodiment of the invention, an override list of ActiveX controls, URLs and/or domains recommended to be opened with IE can be implemented. In an embodiment of the invention, a historical list of ActiveX controls, URLs and/or domains opened with IE can be implemented. In an embodiment of the invention, an option can be presented to the user to perform the chosen action whenever the ActiveX control, URL and/or domain is encountered in the future. Those of skill in the art will realize that many such embodiments and variations of the invention are possible, including but not limited to those described hereinabove, which are by no means all inclusive.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention may be better understood, and its numerous objects, features and advantages made apparent to those skilled in the art by referencing the accompanying drawings. The use of the same reference number throughout the several figures designates a like or similar element.

FIG. 1 is a generalized illustration of an information handling system that can be used to implement the method and apparatus of the present invention.

FIG. 2 is a generalized flow chart illustrating one embodiment of the present invention as implemented to render Web pages containing ActiveX controls using a non-IE browser.

FIG. 3 is a generalized flow chart illustrating one embodiment of the present invention as implemented to manage lists of ActiveX controls, URLs and domains that can be referenced by a non-IE browser when attempting to render Web pages containing ActiveX controls.

DETAILED DESCRIPTION

FIG. 1 is a generalized illustration of an information handling system 100 that can be used to implement the system and method of the present invention. The information handling system includes a processor (e.g., central processor unit or “CPU”) 102, input/output (I/O) devices 104, such as a display, a keyboard, a mouse, and associated controllers, a hard drive or disk storage 106, various other subsystems 108, network port 110, and system memory 112, all interconnected via one or more buses 114. Operating system 116 resides in system memory 112 and in an embodiment of the invention supports an implementation of Internet Explorer (IE) browser 118 which can be utilized by the present invention for implementation of ActiveX control 120. Operating system 116 further supports an implementation of a non-IE browser, such as Firefox browser 122, which does not support ActiveX controls, but can support implementation of the IE View extension 124 for Firefox browser 122, which in turn can invoke IE to render Web pages containing ActiveX controls. Firefox browser 122 can also support various implementations of the present invention through extension 126, which can provide more control over the implementation of IE View extension 124 when it invokes IE to render Web pages containing ActiveX controls.

In an embodiment of the present invention, information handling system 100 communicates through network port 110 to a private (e.g., secured corporate network), public (e.g., the Internet), or hybrid (e.g., a private Intranet implemented on the public Internet) network 128 which can be, but is not limited to, a local area network (LAN), a wide area network (WAN), a virtual network (VNET), or any combination of communication technologies and/or protocols that may be required to interact with one or more Web pages 140, which may contain ActiveX controls.

For purposes of this disclosure, an information handling system may include any instrumentality or aggregate of instrumentalities operable to compute, classify, process, transmit, receive, retrieve, originate, store, display, manifest, detect, record, reproduce, handle, or utilize any form of information, intelligence or data for business, scientific, control or other purposes. For example an information handling system may be a personal computer, a network storage device, or any other suitable device and may vary in size, shape, performance, functionality, and price. The information handling system may include random access memory (RAM), one or more processing resources such as a central processing unit (CPU) or hardware or software control logic, read only memory (ROM), and/or other types of nonvolatile memory. Additional components of the information handling system may include one or more disk drives, one or more network ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, and a video display. The information handling system may also include one or more buses operable to transmit communications between the various hardware components.

FIG. 2 is a generalized flow chart illustrating one embodiment of the present invention as implemented to render Web pages containing ActiveX controls when using a non-IE browser. In step 202, a non-IE browser, such as Firefox, communicates with a Web URL 204. The Web URL 204 returns information to the Firefox browser including, but not limited to, the Universally Unique Identifier (UUID) of any ActiveX controls residing in the URL. Processing then proceeds to step 206 where a test is conducted to determine whether any ActiveX controls have been detected. If the result of the test conducted in step 206 indicates that no ActiveX controls have been detected, processing returns to step 202. If, however, the result of the test conducted in step 206 indicates that ActiveX controls have been detected, processing proceeds to step 208 where the user is notified that the Web URL contains ActiveX controls and the user decides whether to proceed and render the URL containing ActiveX controls using IE. If the user decides not to proceed, processing returns to step 202 and the Firefox browser continues to monitor URLs for the presence of ActiveX controls. If, however, the result of step 208 is a decision to proceed, processing proceeds to step 210 where a test is conducted to determine whether IE View is installed and active on the user's computer. If the result of the test conducted in step 210 indicates that IE View is not installed, processing proceeds to step 212 where the user is prompted to make a decision whether to install IE View. If the result of step 212 is a decision not to install IE View, processing returns to step 208. If, however, step 212 results in a decision to install IE View, processing proceeds to step 214 where IE View is installed.
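The detection of step 206, as an added example that is not code from the patent: the HTML returned for a Web URL is scanned for ActiveX controls, and each control's CLSID (the UUID the text refers to) is recorded together with the page URL that contains it and, where stated, the codebase from which IE would fetch the control. Controls created from script by ProgID are recorded as well, since they would otherwise be missed. The code runs under Node.js; SAMPLE_HTML and SAMPLE_URL are constructed for the example (the Flash Player CLSID appears only as a recognisable sample value).

```javascript
// Added example, not code from the patent: scan fetched HTML for ActiveX
// controls and record each control's CLSID together with the page URL that
// contains it (step 206 of FIG. 2). Runs under Node.js; SAMPLE_HTML and
// SAMPLE_URL below are constructed for the example.

const CLSID_RE = /^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

// "clsid:{ABC...}" / "CLSID:abc..." -> "ABC..." in upper case; null if malformed.
// Returning null, rather than the raw string, keeps a deliberately malformed
// classid from being recorded (and later whitelisted) under a garbage key.
function normalizeClsid(value) {
  if (typeof value !== "string") return null;
  const v = value.trim().replace(/^clsid:/i, "").replace(/^\{|\}$/g, "").trim();
  return CLSID_RE.test(v) ? v.toUpperCase() : null;
}

// Attributes of one tag body (the text between "<object" and ">").
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([A-Za-z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// One record per ActiveX control referenced by the page.
function findActiveXControls(html, pageUrl) {
  const found = [];
  const objectRe = /<object\b([^>]*)>/gi;
  let m;
  while ((m = objectRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const clsid = normalizeClsid(attrs.classid);
    if (clsid === null) continue; // <object> without a CLSID is not an ActiveX control
    let codebase = null;          // where IE would fetch the control from, if stated
    if (attrs.codebase) {
      try { codebase = new URL(attrs.codebase, pageUrl).href; } catch (_) { codebase = attrs.codebase; }
    }
    found.push({ clsid, progId: null, pageUrl, codebase, source: "object-tag" });
  }
  // Controls instantiated from script are named by ProgID, not CLSID; record
  // them too so the page is still flagged as containing ActiveX.
  const scriptRe = /new\s+ActiveXObject\s*\(\s*(["'])([^"']+)\1\s*\)/g;
  while ((m = scriptRe.exec(html)) !== null) {
    found.push({ clsid: null, progId: m[2], pageUrl, codebase: null, source: "script" });
  }
  return found;
}

// Constructed sample page: one ActiveX <object>, one plain media <object>,
// and one script-created control.
const SAMPLE_URL = "http://www.example.com/index.html";
const SAMPLE_HTML = `
<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
        codebase="/download/swflash.cab#version=9,0,0,0" width="400" height="300">
  <param name="movie" value="intro.swf">
</object>
<object data="video.ogg" type="video/ogg"></object>
<script>var fso = new ActiveXObject("Scripting.FileSystemObject");</script>
</body></html>`;

console.log(JSON.stringify(findActiveXControls(SAMPLE_HTML, SAMPLE_URL), null, 2));
```

The CLSID is normalised before it is stored so that the same control written as `clsid:{...}`, `CLSID:...` or in lower case maps to one list key; a malformed classid is dropped rather than recorded, since a list entry keyed on attacker-chosen garbage would be worthless.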

Returning to step 210, if the result of the test conducted in that step indicates that IE View is installed, processing proceeds to step 216 where a test is conducted to determine whether the URL or the ActiveX control is on a “bad” list. If the result of the test conducted in step 216 indicates that the URL or the ActiveX control is on a “bad” list, processing proceeds to step 217 where the user is notified and prompted for a decision whether to proceed. If the user elects to proceed, processing proceeds to step 224 where the user is prompted for a decision regarding whether to invoke IE. If the user decides not to invoke IE, processing returns to step 202. If, however, the user decides to invoke IE, processing proceeds to step 226 where the URL or ActiveX controls are rendered using Internet Explorer. If the result of the test conducted in step 216 indicates that the URL or ActiveX control is not on a “bad” list, processing proceeds to step 218 where a test is conducted to determine whether the URL or ActiveX control is on a “good” list. As will be discussed in greater detail hereinbelow, the possible “good” lists include: 1) a “whitelist” of known good or “trusted” URLs and ActiveX controls; 2) a user-defined personal preference list of URLs and ActiveX controls; and 3) a user-defined filter list of URLs and ActiveX controls.

If the result of the test conducted in step 218 indicates that the URL or the ActiveX control is on a “good” list, processing proceeds to step 224 followed by step 226, as discussed hereinabove. If, however, the result of the test conducted in step 218 indicates that the URL or ActiveX control is not on a “good” list, processing proceeds to step 220 where the user is prompted to make a decision whether to add the URL or ActiveX control to a “good” list. If the decision made in step 220 is to add the URL to a “good” list, processing proceeds to step 222 where the URL and/or ActiveX control is added to a “good” list. Processing then proceeds to steps 224-226 as discussed above. If the result of step 220 is a decision not to add the URL or ActiveX control to the “good” list, processing proceeds to step 228 where the user is prompted for a decision regarding whether to add the URL or ActiveX control to the “bad” list. If the result of step 228 is to add the URL or ActiveX control to the “bad” list, processing proceeds to step 229; otherwise, processing returns to step 202.

In an embodiment of the invention JavaScript can be implemented to detect the presence of ActiveX controls within a domain or URL (step 206) and the presence of IE View on the system (step 210). The following is an example of JavaScript that can be used to accomplish the aforementioned steps:

<head>
<script language="JavaScript" type="text/javascript">
<!--
// window.ActiveXObject exists only in IE; in other browsers it is undefined.
// IEView.installed is assumed to be exposed by the IE View extension and is
// guarded so the script does not throw where no such object exists.
var ieViewInstalled = (typeof IEView !== "undefined") && IEView.installed;
if (window.ActiveXObject && ieViewInstalled) {
  // Do ActiveX things in IE and populate IE View
} else if (window.ActiveXObject) {
  // Do ActiveX things only in IE, and do not populate IE View
} else {
  // Don't do ActiveX things
}
//-->
</script>
</head>

In this embodiment of the invention, the JavaScript presumes that a browser that is not ActiveX-enabled has contacted a Web URL, data has been returned, ActiveX controls can be detected within the URL data, and the user can be queried to allow ActiveX controls to be implemented to render the URL. If IE View is installed, the user can be prompted to invoke IE as described above. If the user responds affirmatively, the IE View URL database can be populated, IE can be invoked, and the URL can be rendered with ActiveX controls. Alternatively, if IE View has not been installed, the user can be prompted to manually invoke IE to render the URL with ActiveX controls, or to not invoke IE and not render the URL with ActiveX controls.

FIG. 3 is a flow chart illustration of an embodiment of the present invention for implementing multiple options for the management of lists of ActiveX controls, URLs, and domains that can be referenced by a non-IE browser when attempting to render Web pages containing ActiveX controls. In step 302, a test is conducted to determine whether the URL or ActiveX control is on a “good” list. If the result of the test conducted in step 302 indicates that the URL or ActiveX control is on a “good” list, processing proceeds to step 304 where a test is conducted to determine whether the URL or ActiveX control is on a “White” list. If the result of the test conducted in step 304 indicates that the URL or ActiveX control is on a “White” list, processing proceeds to step 306 where the “White” list browser parameters are applied. If, however, the result of the test conducted in step 304 indicates that the URL or ActiveX control is not on a “White” list, processing proceeds to step 308 where a test is conducted to determine whether the URL or ActiveX control is on a Personal Preference List. If the result of the test conducted in step 308 indicates that the URL or ActiveX control is on a Personal Preference List, processing proceeds to step 310 where the Personal Preference browser parameters are applied to the URL or ActiveX control. If, however, the result of the test conducted in step 308 indicates that the URL or ActiveX control is not on a Personal Preference List, processing proceeds to step 312 where a test is conducted to determine whether the URL or ActiveX control is on a personal filter list. If the result of the test conducted in step 312 indicates that the URL or ActiveX control is on a personal filter list, processing proceeds to step 314 where the personal filter browser parameters are applied to the URL or ActiveX control.

Returning to step 302, if the result of that processing step indicates that the URL or ActiveX control is not on a “good” list, processing proceeds to step 316 where the user is prompted regarding a decision whether to add the URL or ActiveX control to a “White” list. If the result of step 316 is a decision to add the URL or ActiveX control to a “White” list, processing proceeds to step 318 where the “White” list is updated to include the URL or ActiveX control. Processing then proceeds to step 320 where the user is prompted regarding a decision whether to automatically add the designated URL or ActiveX controls to the “White” list in the future. If the result of step 320 is a decision to add the URLs or ActiveX controls automatically, processing proceeds to step 322 where the designated URLs or ActiveX controls are automatically associated with the appropriate designated list, e.g., the “White” list. Processing then proceeds to step 224 as discussed hereinabove in connection with FIG. 2.

If the result of step 316 is not to add the URL or ActiveX control to the “White” list, processing proceeds to step 324 where the user is prompted for a decision whether to add the URL or ActiveX control to a Personal Preference List. If the result of step 324 is a decision to add the URL or ActiveX control to a Personal Preference List, processing proceeds to step 326 followed by steps 320-322 as discussed hereinabove. If, however, the result of step 324 is a decision not to add the URL or ActiveX control to a Personal Preference List, processing proceeds to step 328 where the user is prompted for a decision whether to add the URL or ActiveX control to a personal filter list. If the result of step 328 is a decision to add the URL or ActiveX control to the personal filter list, processing proceeds to step 330, followed by steps 320-322 as discussed above. If, however, the result of step 328 is a decision not to add the URL or ActiveX control to a personal filter list, processing proceeds to step 228 where a decision is made whether to place the URL or ActiveX control on a “bad” list, as discussed above in connection with FIG. 2.
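The list lookups of FIG. 2 (steps 216-222) and the list precedence of FIG. 3 (steps 302-314, with the remembered choice of steps 320-322), as one added example that is not the patent's own code: a decision function takes a detected control (CLSID plus page URL) and the four lists, checks the “bad” list first as step 216 does, and returns the action the non-IE browser should take. Domain entries are matched on whole labels, since a plain suffix test would let a host such as corp.example.com.attacker.test inherit a whitelisted domain's treatment and be handed to IE with ActiveX enabled. The code runs under Node.js; the lists, hostnames and CLSID values are constructed for the example, and the CLSIDs are placeholders rather than real controls.

```javascript
// Added example, not the patent's own code: the list lookups of FIG. 2
// (steps 216-222) and FIG. 3 (steps 302-314, 320-322) as one decision
// function. Runs under Node.js; the lists, URLs and CLSIDs below are
// constructed for the example (the CLSIDs are placeholders, not real controls).

// Every list holds entries of the form { kind: "clsid" | "url" | "domain", value }.
function makeLists() {
  return {
    bad: [],      // distributed "black" list: warn, require explicit override
    white: [],    // distributed "white" list: open in IE
    personal: [], // user's personal preference list: open in IE
    filter: [],   // user's personal filter list: render without the control
  };
}

function normalizeClsid(value) {
  return value.trim().replace(/^clsid:/i, "").replace(/^\{|\}$/g, "").toUpperCase();
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (_) { return ""; }
}

// Label-aware domain match: "corp.example.com" covers "www.corp.example.com"
// but not "notcorp.example.com" or "corp.example.com.attacker.test".
function domainMatches(listDomain, host) {
  const d = listDomain.toLowerCase();
  return host !== "" && (host === d || host.endsWith("." + d));
}

function entryMatches(entry, control) {
  switch (entry.kind) {
    case "clsid":  return control.clsid !== null && normalizeClsid(entry.value) === control.clsid;
    case "url":    return entry.value === control.pageUrl;
    case "domain": return domainMatches(entry.value, hostOf(control.pageUrl));
    default:       return false;
  }
}

function onList(list, control) {
  return list.some((e) => entryMatches(e, control));
}

// Action for one detected control { clsid, pageUrl }:
//   "block"      bad list (step 217: user is warned and must explicitly override)
//   "open-in-ie" white list or personal preference list (steps 306, 310)
//   "filter"     personal filter list (step 314): render the page without the control
//   "prompt"     on no list: ask the user (steps 220/228 and 316-328)
// The bad list is consulted first, as in step 216, so a blacklisted control is
// never opened in IE merely because the page's domain is also whitelisted.
function decide(lists, control) {
  if (onList(lists.bad, control))      return { action: "block", reason: "bad-list" };
  if (onList(lists.white, control))    return { action: "open-in-ie", reason: "white-list" };
  if (onList(lists.personal, control)) return { action: "open-in-ie", reason: "personal-preference" };
  if (onList(lists.filter, control))   return { action: "filter", reason: "personal-filter" };
  return { action: "prompt", reason: "unlisted" };
}

// Steps 320-322: record the user's choice so the prompt is not repeated.
function remember(lists, listName, control, kind) {
  const value = kind === "clsid" ? control.clsid
              : kind === "url" ? control.pageUrl
              : hostOf(control.pageUrl);
  if (!lists[listName].some((e) => e.kind === kind && e.value === value)) {
    lists[listName].push({ kind, value });
  }
}

// Constructed scenario: a whitelisted intranet domain and one blacklisted CLSID.
function demo() {
  const lists = makeLists();
  lists.white.push({ kind: "domain", value: "corp.example.com" });
  lists.bad.push({ kind: "clsid", value: "{11111111-2222-3333-4444-555555555555}" }); // placeholder
  const badControl = { clsid: "11111111-2222-3333-4444-555555555555", pageUrl: "http://corp.example.com/app/" };
  const okControl  = { clsid: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE", pageUrl: "http://www.corp.example.com/app/" }; // placeholder
  const lookalike  = { clsid: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE", pageUrl: "http://corp.example.com.attacker.test/" };
  const results = [decide(lists, badControl), decide(lists, okControl), decide(lists, lookalike)];
  remember(lists, "filter", lookalike, "domain"); // user chose "filter" at step 328, remembered at 320-322
  results.push(decide(lists, lookalike));
  return results;
}

console.log(demo().map((r) => r.action).join(", "));
```

Running the scenario gives block, open-in-ie, prompt, filter: the blacklisted control is blocked even though its page sits on the whitelisted domain, the look-alike host falls through to the prompt rather than inheriting the whitelist entry, and once the user's filter choice is remembered the prompt no longer appears.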

Skilled practitioners in the art will recognize that many other embodiments and variations of the present invention are possible. In addition, each of the referenced components in this embodiment of the invention may be comprised of a plurality of components, each interacting with the other in a distributed environment. Furthermore, other embodiments of the invention may expand on the referenced embodiment to extend the scale and reach of the system's implementation.

1. A method for managing the display of information on an information handling system, comprising: initiating a first internet browser operable to access an internet URL, said first internet browser not operable to render an ActiveX control; using said first internet browser to obtain a set of data parameters associated with said internet URL; analyzing said data parameters to identify predetermined display control parameters associated with said internet URL, said predetermined display control parameters corresponding to said ActiveX control; generating a request to display video data associated with said Internet URL in a second internet browser operable to render said ActiveX control, said request displayed within said first internet browser; and conditionally executing said second internet browser to display said video data, wherein said conditional execution is initiated in response to receipt of user input data within said first internet browser authorizing said display of video data, wherein said display of video data is based upon rendering of said ActiveX control within said second internet browser.
 2. The method of claim 1, wherein said video data comprises universally unique identifiers (UUIDs) associated with said predetermined display control parameters for displaying video data.
 3. The method of claim 2, wherein said second internet browser comprises an Internet Explorer View (IEView) application.
 4. The method according to claim 3, further comprising generating a plurality of classification lists of URLs wherein video data associated with URLs on said preference lists is classified for display using said first and second internet browser.
 5. The method according to claim 4, wherein said plurality of classification lists are generated automatically based on information correlated with said UUIDs.
 6. The method of claim 4, wherein said plurality of classification lists comprises a list of known good UUIDs wherein said second internet browser is executed and wherein video data is displayed using IEView and said ActiveX controls.
 7. The method of claim 4, wherein said plurality of classification lists comprises a user-defined preference list of URLs wherein said second internet browser is executed and wherein video data is displayed using IE view and said ActiveX controls.
 8. The method of claim 4, wherein said plurality of classification lists comprises a user-defined filtered list of URLs, wherein said second internet browser is not executed and wherein video data is displayed using said first internet browser.
 9. The method of claim 4, wherein said plurality of classification lists comprises a list of known bad applications, wherein said second internet browser is not executed and wherein video data is displayed using said first internet browser.
10. An information handling system operable to manage the display of visual information received from an internet web page, comprising: storage media having executable code stored thereon, said executable code comprising a first internet browser and a second internet browser to access an internet URL, said first internet browser not operable to render an ActiveX control and said second internet browser operable to render an ActiveX control; a processor operable to execute said code, said processor further operable to: use said first internet browser to obtain a set of data parameters associated with said internet URL; analyze said data parameters to identify predetermined display control parameters associated with said internet URL, said predetermined display control parameters corresponding to said ActiveX control; generate a request to display video data associated with said Internet URL in said second internet browser, said request displayed within said first internet browser; and conditionally execute said second internet browser to display said video data, wherein said conditional execution is initiated in response to receipt of user input data within said first internet browser authorizing said display of video data, wherein said display of video data is based upon rendering of said ActiveX control within said second internet browser.
 11. The information handling system of claim 10, wherein said video data comprises universally unique identifiers (UUIDs) associated with said predetermined display control parameters for displaying video data.
 12. The information handling system of claim 11, wherein said second internet browser comprises an Internet Explorer View (IEView) application.
 13. The information handling system according to claim 12, further comprising generating a plurality of classification lists of URLs wherein video data associated with URLs on said preference lists is classified for display using said first and second internet browser.
 14. The information handling system according to claim 13, wherein said plurality of classification lists are generated automatically based on information correlated with said UUIDs.
 15. The information handling system of claim 13, wherein said plurality of classification lists comprises a list of known good UUIDs wherein said second internet browser is executed and wherein video data is displayed using IEView and said ActiveX controls.
 16. The information handling system of claim 13, wherein said plurality of classification lists comprises a user-defined preference list of URLs wherein said second internet browser is executed and wherein video data is displayed using IE view and said ActiveX controls.
 17. The information handling system of claim 13, wherein said plurality of classification lists comprises a user-defined filtered list of URLs, wherein said second internet browser is not executed and wherein video data is displayed using said first internet browser.
 18. The information handling system of claim 13, wherein said plurality of classification lists comprises a list of known bad applications, wherein said second internet browser is not executed and wherein video data is displayed using said first internet browser. 